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Abstract 

Hybrid logic with binders is an expressive specification language. Its satisfiability 
problem is undecidable in general. If frames are restricted to N or general linear 
orders, then satisfiability is known to be decidable, but of non-elementary complexity. 
In this paper, we consider monotone hybrid logics (i.e., the Boolean connectives are 
conjunction and disjunction only) over N and general linear orders. We show that the 
satisfiability problem remains non-elementary over linear orders, but its complexity 
drops to PSPACE-completeness over N. We categorize the strict fragments arising 
from different combinations of modal and hybrid operators into NP-complete and 
tractable (i.e. complete for NC 1 or LOGSPACE ). Interestingly, NP-completeness 
depends only on the fragment and not on the frame. For the cases above NP, satisfi- 
ability over linear orders is harder than over N, while below NP it is at most as hard. 
In addition we examine model-theoretic properties of the fragments in question. 



Keywords: satisfiability, modal logic, complexity, hybrid logic 



2 The Complexity of Monotone Hybrid Logics over Lin. Frames and the Nat. Numbers 



1 Introduction 

Hybrid logic is an extension of modal logic with nominals, satisfaction oper- 
ators and binders. The downarrow binder 4-, which is related to the freeze 
operator in temporal logic [11], provides high expressivity. The price paid is 
the undecidability of the satisfiability problem for the hybrid language with the 
downarrow binder 4- [4,10,1]. In contrast, modal logic, and its extension with 
nominals and the satisfaction operator, is PSPACE-complete [12,1]. 

In order to regain decidability, syntactic and semantic restrictions have been 
considered. It has been shown in [21] that the absence of certain combinations 
of universal operators (□, A) with 4- brings back decidability, and that the 
hybrid language with 4- is decidable over frames of bounded width. Furthermore, 
this language is decidable over transitive and complete frames [16], and over 
frames with an equivalence relation (ER frames) [15]. Adding the at-operator 
@ — which allows to jump to states named by nominals — leads to undecidability 
over transitive frames [16], but not over ER frames [15]. Over linear frames 
and transitive trees, 4- on its own does not add expressivity, but combinations 
with @ or the global modality — an additional O interpreted over the universal 
relation — do. These languages are decidable and of non-elementary complexity 
[9,16]; if the number of state variables is bounded, then they are of elementary 
complexity [18,23,5]. 

We aim for a more fine-grained distinction between fragments of different 
complexities by systematically restricting the set of Boolean connectives and 
combining this with restrictions to the modal/hybrid operators and to the 
underlying frames. In [14], we have focussed on four frame classes that allow 
cycles, and studied the complexity of satisfiability for fragments obtained by ar- 
bitrary combinations of Boolean connectives and four modal/hybrid operators. 
The main open question in [14] is the one for tight upper bounds for monotone 
fragments including the D-operator. Even though there are many logics for 
which the restriction to monotone Boolean connectives leads to a significant 
decrease in complexity, it is not straightforward, and therefore interesting to 
find out, where this happens for hybrid logics. 

In this study, we classify the computational complexity of satisfiability for 
monotone fragments of hybrid logic with arbitrary combinations of the opera- 
tors O, □, 4- and @ over linear orders and the natural numbers. Whereas the full 
logic is non-elementary and decidable [16] for both frame classes, we show that 
in the monotone case this high complexity is gained only over linear orders and 
drops to PSPACE-completeness over the natural numbers. Informally speaking, 
the reason is that linearly ordered frames may consist of arbitrarily many dense 
parts that can be distinguished using the expressive power of all four opera- 
tors. These dense parts and their distances are used to store information that 
cannot be stored in a frame without dense parts as, e.g., the natural numbers. 
For all other monotone fragments that contain the O-operator, we show NP- 
complcteness independent on the frame class, for linear orders, all remaining 
fragments (i.e. the fragments without O) can be shown to be NC 1 -complete. 
The reason is, informally speaking, that all (sub-)formulas of the form na are 
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easily satisfied in a state without successor, which can essentially be used to 
reduce this problem to the satisfiability problem for monotone propositional 
formulae. This argument does not go through over the natural numbers, a 
total frame where every state has a successor. Over this frame class, we give 
a decision procedure that runs in logarithmic space for the fragment with all 
operators except O (and prove a matching lower bound), and in NC 1 for all 
other fragments. 

These results give rise to two interesting observations. First, the NP- 
completeness results are independent on the frame class. Second, for the frag- 
ment whose satisfiability problem is above NP, linear orders make the problem 
harder than the natural numbers, and for the richest fragment below NP, it is 
the opposite way round — the natural numbers make the problem harder than 
linear orders. Notice also that, in the case where Boolean operators are not 
restricted to monotone ones, all fragments are NP-hard. 

Our results are shown in Figure 1. 




^ lin: decidable, non-elementary 
N: PSPACE-complete 

Q NP-complete 

quasi-polysize model property 



^ lin: NC^complete; N: LOGSPACE-compl. 
canonical model property 

Q NC'-complete 

canonical model property 



Fig. 1. Our complexity results for satisfiability over linear frames (lin) and the nat- 
ural numbers (N) for hybrid logic with monotone Boolean operators and different 
combinations of modal/hybrid operators 



2 Preliminaries 



Hybrid Logic. In the following, we introduce the notions and definitions of 
hybrid logic. The terminology is largely taken from [2]. 
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Let Prop be a countable set of atomic propositions, Nom be a countable set 
of nominals, SVar be a countable set of variables and Atom = PropUNomU 
SVar. We adhere to the common practice of denoting atomic propositions by 
p,q, . . ., nominals by . . ., and variables by x, y, . . . We define the language 
of hybrid (modal) logic HC as the set of well-formed formulae of the form 

p ::= a | T | _L | -up p A p | p V p Op | Up \ {x.p> \ @ t (fi 

where a £ Atom, x £ SVar and t £ Nom U SVar. 

We define the usual Kripke semantics only to be able to refer to already 
existing results. We will then simplify the standard semantics for monotone 
formulae. Formulae of %C are interpreted on (hybrid) Kripke structures K = 
(W,R,n), consisting of a set of states W, a transition relation R: W x W, 
and a labeling function r\: Prop U Nom -> p(W) that maps Prop and Nom 
to subsets of W with \i](i)\ = 1 for all i £ Nom. The relational structure 
(W, R) is the Kripke frame underlying K . In order to evaluate ^-formulae, 
an assignment g: SVar — > W is necessary. Given an assignment g, a state 
variable x and a state w, an x-variant g% of g is defined by g^j(x) = w and 
9w( x ') — 9( x ') f° r au x x ' ■ F° r an Y a € Atom, let [n,g](a) — {g(a)} if 
a G SVar and [77, g] (a) = i](a), otherwise. The satisfaction relation of hybrid 
formulae is defined as follows. 



K,g,w \= <p A V 
K,g,w \= a 
K,g,w^ T, 
K,g,w^ -«p 
K,g,w\= <p Aip 
K,g,w \= pV ip 
K,g,w^ Op 
K,g,w^ Up 
K,g,w^= @ t f 
K,g,w \= Ix.p 



if and only if 3w' £ W(wRw' & K, g, w' \= p) 

if and only if w £ [i],g](a) 7 a 6 Atom, 

and K,g,w Y= -U 

if and only if K,g,w ^ p, 

if and only if K, g, w \= p and K, g,w \= ip, 

if and only if K, g, w ^ p or K,g,w \= ip, 

if and only if 3w' £ W{wRw' & K 7 g 7 w' \= ip), 

if and only if Vu/ £ W(wRw' =^ K,g,w' \= p), 

if and only if K, g, [rj, g](t) \= p, 

if and only if K, g^, w \= p. 

A hybrid formula p is said to be satisfiable if there exists a Kripke structure 
K = (W, R, -q), a w £ W and an assignment g : SVar — > W with K,g,w \= p. 

The at operator @ t shifts evaluation to the state named by t £ NomUSVar. 
The downarrow binder ^x. binds the state variable x to the current state. The 
symbols @ x , {x. are called hybrid operators whereas the symbols O and □ arc 
called modal operators. 

The scope of an occurrence of the binder ! is defined as usual. For a state 
variable x, an occurrence of x or @ x in a formula p is called bound if this 
occurrence is in the scope of some \, in p, free otherwise. p> is said to contain 
a free state variable if some x or @ x occurs free in p. 

Given two formulae ip, a and a subformula ip of p, we use (fi[tp/a] to denote 
the result of replacing each occurrence of ip in p with a. For considering 
fragments of hybrid logics, we define subsets of the language HjC as follows. 
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Let O be a set of hybrid and modal operators, i.e., a subset of {O, □, 4-, @}. We 
define HC(0) to denote the set of well-formed hybrid formulae using only the 
operators in O, and MrlC(O) to be the set of all formulae in rlC(0) that do 
not use -i. 

Properties of Frames. A frame F is a pair (W,R), where W is a set of 
states and R C W x W a transition relation. A frame F = (W, R) is called 

• transitive if R is transitive (for all u,v,w € W: uRv A vRw — > uRw), 

• linear if R is transitive, irreflexive and trichotomous (\/u,v e W: uRv or 
u = v or vRu), 

In this paper we consider the class of all linear frames, denoted by lin, and 
the singleton frame class {(N, <)}, denoted by N. Obviously, N C lin. 

Notational convenience. We can make some simplifying assumptions about 
syntax and semantics, of HC(0) and AirlC(0), which do not restrict gener- 
ality. (1) If 4- G O, then formulae do not contain any nominals. Those can 
be simulated by free state variables. (2) Free state variables are never bound 
later in the formula, and every state variable is bound at most once. The lat- 
ter is no significant restriction because variables bound multiple times can be 
named apart, which is a well-established and computationally easy procedure. 
(3) Monotone formulae do not contain any atomic propositions. This restric- 
tion is correct because every monotone formula ip is satisfiable if and only if tp 
with all atomic propositions replaced by T is satisfiable. This justifies the fol- 
lowing restrictions. (4) For binder-free fragments, the domain of the labelling 
function rj is restricted to nominals, and we re-define 77: Nom — > W . Further- 
more, the absence of 4- makes assignments superfluous: we write F, w \= ip 
instead of F, g,w \= p. (5) For binder fragments, the satisfaction relation (= 
is restricted to Kripke frames F — (W, <), where < is a linear order, and as- 
signments g : SVar — > W, i.e., we write F,g,w f= ip. (6) Over N, we omit the 
single Kripke frame, i.e., we write r\,i |= p with 77 : Nom — > N and i e N for 
binder-free fragments, and g,i \= p with g : SVAR — > N for binder fragments. 

Satisfiability Problems. The satisfiability problem for %C{0) over the 
frame class J is defined as follows: 

Problem: £-SAT(0) 

Input: an "H£(0)-formula <p (without nominals, see above) 
Output: Is there a Kripke structure K based on a frame (W, R) € an 
assignment g: SVar — > W and a w € W such that K, g,w \= <p? 

The monotone satisfiability problem for A4HC(0) over the frame class # is 
defined as follows: 

Problem: £-MSAT(0) 

Input: an A4H£(0)-formula ip without nominals and atomic propositions 
Output: Is there a Kripke frame (W, R) 6 an assignment g: SVar — > W 
and a w G W such that F,g,w \= ip? 
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If $ is the class of all frames, we simply write SAT(O) or MSAT(O). Fur- 
thermore, we often omit the set parentheses when giving O explicitly, e.g., 
SAT(0, n,|,@). 

Complexity Theory. We assume familiarity with the standard notions of 
complexity theory as, e.g., defined in [17]. In particular, we make use of the 
classes LOGSPACE, NLOGSPACE, NP, PSPACE, and coRE. The complexity 
class NON ELEMENTARY is the set of all languages A that are decidable and 
for which there exists no k € N such that A can be decided using an algorithm 
whose running time is bounded by exp fe (n), where exp fc (n) is the fc-th iteration 
of the exponential function (e.g., exp 3 (n) = 2 2 ). 

Furthermore, we need two non-standard complexity classes whose defini- 
tion relies on circuit complexity and formal languages, see for instance [22,13]. 
The class IMC 1 is defined as the set of languages recognizable by a logtimc- 
uniform family of Boolean circuits of logarithmic depth and polynomial size 
over {A, V, -i}, where the fan-in of A and V gates is fixed to 2. The class 
LOGDCFL is defined as the set of languages reducible in logarithmic space to 
some deterministic context-free language. 

The following relations between the considered complexity classes are 
known. 

NC 1 C LOGSPACE C LOGDCFL C NP C PSPACE c coRE. 

It is unknown whether LOGDCFL contains NLOGSPACE or vice versa. 

A language A is constant- depth reducible to D, A ^ c( j D, if there is a logtime- 
uniform AC°-circuit family with oracle gates for D that decides membership in 
A. Unless otherwise stated, all reductions in this paper are ^ c( j-reductions. 

Known results. The following theorem summarizes results for hybrid lan- 
guages with Boolean operators A, V, -i that are known from the literature. Since 
Hip = -iO-np, the D-operator is implicitly present in all fragments containing 
O and negation. 

Theorem 2.1 ([1,2,3,9,16]) 

(1) SAT(0,|, @) and SAT(0,4.) are coRE- complete. [1] 

(2) MSAT(0, □) is PSPACE-Ziarrf. [3] 

(3) S r -SAT(0,|, @), forSe {lin,N} 7 are in NONELEMENTARY. [9,16] 

(4) £-SAT(0,4.), £-SAT(0,@) and ff-SAT(O), with e {lin,N}, are HP- 
complete. [2,9] 

Our contribution. In this paper, we consider the monotone satisfiability 
problems S--MSAT(O) for £ G {lin, N} and all O C {O, □, I, @}. 

3 The hard cases: Non-elementary and PSPACE results 

The hardest cases are those with the complete set of operators. In the non- 
monotone case, both satisfiability problems are non-elementary and decidable 
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[16]. We show that in the monotone case even this hardness is reached, but only 
on linear frames, i.e. Iin-MSAT(0, □ @) is non-elementary and decidable. In 
contrast, on the natural numbers the complexity decreases, i.e. we show that 
N-MSAT(0, n,|,@) is PSPACE-complete. 

Our proofs use reductions to and from fragments of first-order logic on the 
natural numbers. Let J r O£(<, P) be the set of all first-order formulae that use 
< as the unique binary relation symbol, and P as the unique unary relation 
symbol. 1 Let N-SATjro£(<, P) denote the set of formulae from FOC{<,P) 
which are satisfied by a model that has N as its universe, interprets < as 
the less-than relation on N x N, and has an arbitrary interpretation for the 
predicate symbol P. It was shown by Stockmeyer [20] that N-SATjro/;(<, P) 
is non-elementary. 

Let J-OC(<) be the fragment of J r O£(<, P) in which the predicate symbol 
P is not used. Accordingly, N-SATjr C) £(<) denotes the set of formulae that 
are satisfiable over N and the natural interpretation of <. It was shown by 
Ferrante and Rackoff [8] that N-SA1> 0£ (<) is in PSPACE. 

Notice that in both fragments x — y can be expressed as ->(x < y V 
y < x). Moreover, every n £ N can be expressed by x n in the formula 

3x ■ ■ ■ 3x„_i [(Ai=0,l,...,n-1 x i < ^i+l) A Vy( x n < V V V, .,; „ V = 

Theorem 3.1 lin-MSAT(0, □, |, @) is non- elementary and decidable. 

Proof. Decidability follows from Theorem 2.1 (3). To establish non- 
elementary complexity, we give a reduction from N-SATjro£(<, P). 

We first show how to encode the intepretation of a predicate symbol, rep- 
resented by a set P C N, in a linear frame F — (W, <) - without using atomic 
propositions and nominals as agreed in Section 2. Using free state variables, 
we can only distinguish linearly many states at any given time. We therefore 
use finite intervals (finite subchains of (W, <)) to encode whether n £ P. Such 
an interval — we call it a marker — has length 2 (resp. 3) if for the correspond- 
ing n holds n £ P (resp. n £ P). Accordingly, we call a marker of length 2 
(resp. 3) negative (resp. positive). These finite intervals are separated by dense 
intervals — those are intervals wherein every two states have an intermediate 
state, e.g., [0, 1] Q = {q £ Q \ q sC 1}. For example, the set P with 0, 2 g P 
and 1 £ P is represented by the chain in Figure 2. In our fragment, it is pos- 
sible to distinguish between dense and finite intervals. We now show how to 
achieve this. In order to encode the alternating sequence of finite and dense 
intervals that represents a subset P C N, we use the free state variable a to 
mark a state in a dense interval that is directly followed by the first marker. 
We furthermore use the following macros, where x and y are state variables 
that are already bound before the use of the macro, and r, s, t, u are fresh state 
variables. 



1 I.e. TOC{<, P) is defined as set of all formulae <p as follows. 

ip ::= T | x < y \ P(x) \ ^ip \ ip A ip \ ip V ip \ 3x ip \ \/x ip 
for variable symbols x, y g SVar. 
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^ P 1 G P 2£P 

v is a direct successor of w 



Legend: (w) >(v) 

(wy^s^ ■ ■ ■ 



w and v are begin and end of a dense interval 
there arc dense and nondense intervals behind w 



Fig. 2. An example with 0, 2 g P and 1 £ P. 

• T/ie staie named y is a direct successor of the state named x. It suffices to 
say that all successors of x are equal to, or occur after, y. 

dirSuc(x,y) := @ x Diz.(@ y z V @ y Oz) 

• The state named x has no direct predecessor. It suffices to say that, for all 
states r equal to, or after, the left bound a: if r is before x, then there is a 
state between r and x. We work around the implication by saying that one 
of the following three cases occurs: r is after x, or r equals x, or r is before 
x with a state in between. 

noDirPred(x) := @ a nir.(@ x Or V @ x r V @ r OOx) 

• The state named x has a direct predecessor. It suffices to say that there is a 
state r after a of which x is a direct successor. 

dirPred(x) := @ a O|r.dirSuc(r, x) 

• The interval between states x, y is dense. We say that, for all r with x < r : 
r is after y, or r has no direct predecessor. 

dense(a;, y) := @ x nir.(@ y Or V noDirPred(r)) 

• The state x is in a separator. This macro says that, for some successor r of 
x, the interval between x and r is dense. 

sep(x) := @ x Olr.dense(x,r) 

• The state x is the begin of a negative marker. This macro says that x has a 
direct successor that is the begin of a separator, and x has no direct predeces- 
sor. The latter is necessary to avoid that, in the above example, the middle 
state of a positive marker is mistaken for the begin of a negative marker. 

neg(x) := @ K 0|r.(dirSuc(x, r) Asep(r)) A noDirPred(x) 

• The state x is the begin of a positive marker. Similarly to the above macro, 
we express that x has a direct-successor sequence r, s with s being the begin 
of a separator, and x has no direct predecessor. 

pos(x) := @ K 0|r.(dirSuc(x, r) A 0|s.(dirSuc(r, s) A sep(s))) A noDirPred(cc) 

• The state x is in a separator whose end is a marker. This macro says that, 
for some successor r of x, the interval between x and r is dense and r is the 
begin of a marker. 

sepM(a;) := @ x Olr.(der\se(x, r) A (neg(r) V pos(r))) 

We now need the following two conjuncts to express that the part of the model 
starting at a represents a sequence of infinitely many markers. 
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• a is in a separator that ends with a marker. tpi := sepM(a) 

• Every marker has a direct successor marker. We say that every state r after 
a satisfies one of the following conditions. 

• r is in a separator — this also includes that r is the end of a marker — that 
is followed by a marker. 

• r is the begin of a negative marker and its direct successor is the begin of 
a separator whose end is a marker. 

• r is the begin of a positive marker and its direct 2-step successor is the 
begin of a separator whose end is a marker. 

• r in the middle of a positive marker, i.e., r has a direct predecessor which 
is the begin of a positive marker, and r's direct successor is in a separator 
whose end is a marker. 



Finally, we encode formulae ip from TOC(<, P). We assume w.l.o.g. that such 
formulae have the shape <p> := Q1X1 . . . Q n x n .(3(xi, . . . ,x n ), where Qi € {3,V} 
and j3 is quantifier-free with atoms P(x) and x < y for variables x, y, such that 
negations appear only directly before atoms. The transformation of ip reuses 
the Xi as state variables and proceeds inductively as follows. 



f{P{Xi)) 


= pos(a; i ) 




= neg(xi) 


f(Xi < Xj) 


= ® Xi Oxj 


f(-i(Xi < Xj)) 


= @ Xi Xj \/@ Xj Oxi 


f(a A P) 


- /(«)A/(/3) 






f(3xi.a) 


= @ a <>ixi.\Aneg{xi) V pos(x 4 )) A f(a 



The transformation of ip into MT-LC(0, □, |, @) is now achieved by the function 
g defined as follows. 

g(<p) := fa A i) 2 A f(<p) 

It is clear that the reduction function g can be computed in polynomial time. 
The correctness of the reduction is expressed by the following claim. 




) AsepM(s)) 





10 The Complexity of Monotone Hybrid Logics over Lin. Frames and the Nat. Numbers 



Claim 3.2 For every formula ip from FOC(<, P) holds: 

ip G N-SAT^c, £ (<,P) if and only if g(ip) G lin-MSAT(0, 

The proof of the claim should be clear. Since N-SATjr C , £ (< J P) is non- 
elementary [20], it follows that lin-MSAT(0, □, |, @) is non-elementary, too. 

Finally, we note that our reduction uses a single free state variable a, which 
could as well be bound to the first state of evaluation. □ 

The high complexity of lin-MSAT(0, n,|, @) relies on the possibility that 
the linear frame alternatingly has dense and non-dense parts. If we have the 
natural numbers as frame for a hybrid language, we lose this possibility. As 
a consequence, the satisfiability problem for monotone hybrid logics over the 
natural numbers has a lower complexity than that over linear frames. 

Theorem 3.3 N-MSAT(0, □, I, @) is PS PACE -complete. 

Proof. Let QBFSAT be the problem to decide whether a given quantified 
Boolean formula is valid. We show PS PACE- hardness by a polynomial-time 
reduction from the PSPACE-complete QBFSAT to N-MSAT(0, D,i, @). Let 
(p be an instance of QBFSAT and assume w.l.o.g. that negations occur only 
directly in front of atomic propositions. We define the transformation as 
f • ip i ^ lr.Ols.Oh((p) where h is given as follows: let ip, \ be quantified Boolean 
formulae and let x k be a variable in ip, then 



For example, the QBF ip — Vx3y(x A y) V (->a; A is mapped to 

f(<p) = |r.O|s.O@ r n|x .@ r <Hxi.(@ s x A @ s xi) V (@ s Ox A @ s Oxi). 

Intuitively, this construction requires the existence of an initial state named 
r, a successor state s that represents the truth value T, and one or more succes- 
sor states of s which together represent _!_. The quantifiers 3, V are replaced by 
the modal operators O, □ which range over s and its successor states. Finally, 
positive literals are enforced to be true at s, negative literals strictly after s. 

For every model of /((/?), it holds that r is situated at the first state of the 
model and that state has a successor labelled by s. By virtue of the function 
h, positive literals have to be mapped to s, whereas negative literals have to 
be mapped to some state other than s. An easy induction on the structure of 
formulae shows that ip e QBFSAT iff f(<p) e N-MSAT(0, D,i, @). 

We obtain PSPACE-membership via a polynomial-time reduction from 
N-MSAT(0, to the satisfiability problem N-SAT^ z;(<) for the frag- 

ment of first-order logic with the relation "<" interpreted over the natural 
numbers. Let the first order language contain all members of SVar as vari- 
ables and all members of Nom as constants. Based on the standard translation 
from hybrid to first-order logic [21], we devise a reduction H that maps hybrid 



h(3x k iP) := @ r Olx k .h{ip) 
/i(V'Ax) := h(ip) A h(x), 
h(^x k ) := @ s <>x k , 



h{\fx k ip) := @ r nlx k .h(tp), 

/i(V>v x ) :=MV)v/i(x), 

h(x k ) := @ s x k . 
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formulae ip and variables or constants z to first-order formulae. 



H(p, z) := T for p E PROP 
H(a A [3, z) := H(a, z) A H(/3, z) 
H(Oa, z) := 3t{z < t A H(a, t)) 
H(lx.a, z) := 3x(x = z A H(a, z)) 



H(v, z) := v = z for v e SVar U Nom 
H(a V /3, z) := H(a, z) V H(f3, z) 
H(aa, z) := Vt(z < t ->• H(a, t)) 
H(@ x a,z) :=H{a,x) 



In the O, □ and ©-cases we deviate from the usual definition of the standard 
translation because we do not insist on using only two variables in addition to 
SVar — therefore it suffices to require that t is a fresh variable — and we allow 
constants in the second argument. 

For a first-order formula ip with variables in SVar and an assignment g : 
SVar — > N, let ip[g] denote the first-order formula that is obtained from tp by 
substituting every free occurrence of x G SVar by the first-order term that 
describes g(x). 

Claim 3.4 For every instance ip o/N-MSAT(0, D,-l, @), every assignment g ■ 
SVAR — > N and every neN, it holds that: g,n \= tp if and only if (N, <) |= 
H ((p, z)[g^\, where z is a new variable that does not occur in f. 

Proof of Claim. We prove the claim inductively on the construction of tp. 
ip = v for v e SVar: g,n\= v iff^) g(v) = n 

iff(2) 9n{v)=g Z n{z) 
iff (3) (N,<)|= = 

Justifications for the equivalences: (I) is by the definition of |= for hybrid 
logic, (2) extends g by the new variable z, and (3) uses the definition of |= 
for first-order logic over (N, <). 

ip = a A [3 resp. ip — aV (3: straightforward. 

ip = Oa: g, n \= Oa iffm 3t' > n : g, t' \= a 

iff (2) 3t'>n:(N,<) \= H{a,t)\g\,] 
iff (3) (N,<)\=3t(z<tAH(a,t))[g* n ]. 
(1) and (2) are by definition resp. by induction hypothesis. For (3), notice 
that the variable t may appear free in H(a, t) but it does not appear free 
in 3t(z < t A H(a, t j). The equivalence then follows by the semantics of the 
considered first-order logic. 

ip = Da: g, n \= not iffm Vt' > n : g,t' \= a 

iff (2) Vt'>n: (N,<) \=H(a,t)[gl,} 
iff (3) (N,<)\=Vt(z<t^H(a,t))[g* n }. 
(1) and (2) are by definition resp. by induction hypothesis. The arguments 
for (3) are as in the case above. 

ip = \.x.a: g, n \= ^x.a iff^) g^,n\^a 

iff (2) (H,<)\=H(a,z)M)' n ] 
iff (3) (N,<)\=3x(x = zAH(a,z))[g* n }. 
(1) and (2) are from the definition of J, and from the induction hypothesis. 
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Eventually, (3) follows from the semantics of FOL over (N, <). 

<p = @ x a: g,n\=@ x a iff (1) g,g(x)\=a 

iff (2) (N,<)\=H(a,z)[g* g{x) ] 
iff (3) (N,<)\=3z(x = zAH(a,z))[g] 
iff (4) (N,<)\=3z(x = zAH(a,z)M}. 
(1) and (2) are from the definition of I and from the induction hypothesis. 
Now, (3) follows from the semantics of FOL over (N, <). Notice that z docs 
not appear free in 3z(x — z A H (a, z)). This proves Equivalence (4). 

This concludes the proof of the claim. O 
Now, Lp G N-MSAT(0, □, I, @) if and only if g, |= ip V Oip for some assign- 
ment g. By the above claim, this is equivalent to (N, <) |= H(ip\/Oip, z)[g^\ for 
some g and a new variable z, which can also be expressed as (N, <) \=\/x{-^{x < 
z)AH(ip\/Oip, z)). This shows that N-MSAT(0, □, |, @) is polynomial-time re- 
ducible to N-SATjro£(<), which was shown to be in PS PACE in [8]. Therefore, 
N-MSAT(0, □,!,©) is in PSPACE. □ 

4 The easy cases: NC 1 and LOGSPACE results 

In this section, we show that the fragments without the O-operator have an 
easy satisfiability problem. Our results can be structured into four groups. 
First, we consider fragments without modal operators. For these fragments 
we obtain NC 1 -completeness. Simply said, without negation and O we cannot 
express that two nominals or state variables are not bound to the same state. 
Therefore, the model that binds all variables to the first state satisfies every 
satisfiable formula in this fragment. 

Lemma 4.1 Let F = ({O},0) and go(y) — for every y G SVar. Then 
ip G lin-MSAT(|, @) (resp. ip G N-MSAT(|,@)J if and only ifF o ,g ,0 \= ip. 

Proof. The implication direction from left to right follows from the monotonic- 
ity of the considered formulas. For the other direction, notice that F G lin. 
For frame class N, note that if F o ,g o ,0 \= <p and ip has no modal operators, 
then g 0} |= <p. □ 

Theorem 4.2 Let O C {|,@}. Then lin-MSAT(O) and N-MSAT(O) are NC 1 - 

complete. 

Proof. NC 1 -hardness of i?-MSAT(0) follows immediately from the NC 1 -com- 
pleteness of the Formula Value Problem for propositional formulae [6]. It re- 
mains to show that lin-MSAT(|, @) and N-MSAT(^, @) are in NC 1 . In order 
to decide whether ip is in lin-MSAT(|, @), according to Lemma 4.1 it suffices 
to check whether the propositional formula obtained from <p deleting all occur- 
rences of Lr. and @ x , is satisfied by the assignment that sets all atoms to true. 
According to [6] this can be done in NC 1 . Since lin-MSAT(|, @) = N-MSAT(|, @) 
by Lemma 4.1, we obtain the same for N-MSAT(4,, @). □ 

Second, we consider fragments with the D-operator over linear frames. We can 
show NC 1 -completeness here, too. The main reason is that (sub-)formulas that 
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begin with a □ are satisfied in a state that has no successor. Therefore similar 
as above, every formula of this fragment that is satisfiable over linear frames is 
satisfied by a model with only one state. 

Theorem 4.3 lin-MSAT(n, |, @) is NC 1 -complete. 

Proof. NC 1 -hardness follows from Theorem 4.2. It remains to show that 
lin-MSAT(n, 4, @) G NC 1 . We show that essentially the D-operators can be 
ignored. 

Claim 4.4 lin-MSAT(n,|, @) < cd lin-MSAT(|, @). 

Proof of Claim. For an instance tp of lin-MSAT(n, |, @), let tp" be the 
formula obtained from ip by replacing every subformula Dip of p with the 
constantT. Then tp" is an instance of lin-MSAT(4-, @). If p G lin-MSAT(n, I, @), 
then ip>" G lin-MSAT(J,, @) due to the monotonicity of p. On the other hand, 
if tp" G lin-MSAT(|,@), then K o ,g,0 \= tp" (Lemma 4.1). Since K a ,g,0 \= □« 
for every a, we obtain Ko,g,0 \= tp, hence tp G lin-MSAT(n, |, @). As such 
simple substitutions can be realized using an AC°-circuit, the stated reduction 
is indeed a valid ^ cd -rcduction from lin-MSAT(n, |, @) to lin-MSATQ,, @). O 

Since lin-MSAT(|, @) G NC 1 (Theorem 4.2) and NC 1 is closed downwards 
under < cd , it follows from the Claim that lin-MSAT(n, |, @) G NC 1 . □ 

It is clear that this argument does not apply to the natural numbers. 

Third, we show N ^-completeness for the fragments with □ and one of I and 
@ over N. They receive separate treatment because, in (N, <), every state has 
a successor, and therefore □-subformulas cannot be satisfied as easily as above. 
It turns out that the complexity of the satisfiability problem increases only if 
both hybrid operators can be used. 

Theorem 4.5 N-MSAT(n, @) is NC 1 -complete. 

Proof sketch. NC 1 -hardness follows from Theorem 4.2. 

For the upper bound, we distinguish occurrences of nominals that are either 
free, or that are bound by a □, or that are bound by an @. Simply said, a free 
occurrence of i in a is bound by □ in Ua and bound by @ in @ x a (even if 
x ^ i). Since the assignment g is not relevant for the considered fragment, we 
write K, w \= a for short instead of K, g,w \= a. 

Claim 4.6 Let a' be the formula obtained from a by replacing every occurrence 
of a nominal that is bound by □ with _L, and let r] be a valuation. If n,k \= a, 
then r],k \= a' . 

Moreover, it turns out that binding every nominal to the initial state suffices 
to obtain a satisfying model. 

Claim 4.7 p G N-MSAT(n,@) if and only if rj a ,0 \= tp with rj (x) = {0} for 
every x G NOM. 

Both claims together yield that, in order to decide tp g N-MSAT(n, @), it 
suffices to check whether r]o,0 \= tp'. No nominal in tp' occurs bound by a 
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□-operator. Therefore for every subformula Da of p 1 and for every k holds: 
r]o, k |= a if and only if 770, |= a. All nominals that occur free or bound by an 
@ evaluate to true in state via 770- Therefore, in order to decide 770, |= <p', it 
suffices to ignore all □ and ©-operators of ip' and evaluate it as a propositional 
formula under assignment 770 that sets all atoms of <p' to true. This can be done 
in NC 1 [6]. The complete proof can be found in Appendix A. □ 

Next, we consider N-MSAT(n, l). According to our remarks in Section 
2 about notational convenience, we assume that there are no nominals in 

MUC(a,i). 

Theorem 4.8 N-MSAT(n,|) is NC 1 -complete. 

Proof sketch. Now, we distinguish occurrences of state variables as the oc- 
currences in the proof sketch above. They are either free, or they are bound by 
a □, or they are bound by J,. Note that this phrasing differs from the standard 
usage of the terms 'free' and 'bound' in the context of state variables. A free 
occurrence of i in a is bound by □ in Da, as above. It is bound by | in i-i.a 
only. Notice that y occurs free in \-X.y (for x 7^ y). 

Claim 4.9 Let a' be the formula obtained from a by replacing every occurrence 
of a state variable that is bound by □ with _L, and let g be an assignment. If 
g,k \= a, then g, k \= a'. 

Claim 4.10 p £ N-MSAT(n,|) if and only if g a ,0 \= ip, for g (x) = for 
every x £ SVar. 

Both claims together yield that, in order to decide ip £ N-MSAT(d, \), it 
suffices to check whether g n ,0 \= ip'. No state variable in p' occurs bound by 
a D-operator. Therefore for every subformula Da of p' and for every k holds: 
go, k |= a if and only if g , \= a. All occurrences of state variables in p' that 
are bound by l evaluate to true, because no □ occurs "between" the binding 
4,7 and the occurrence of i, which means that the state where the variable is 
bound is the same as where the variable is used. All free occurrences of state 
variables evaluate to true in state due to g . Therefore, in order to decide 
go , |= p' , it suffices to ignore all □ and ^-operators of ip' and evaluate it as 
a propositional formula under an assignment that sets all atoms to true. This 
can be done in NC 1 [6]. The complete proof can be found in Appendix B. □ 

The fourth part deals with the fragment with □ and both l and @ over the 
natural numbers. 

Lemma 4.11 N-MSAT(n, |, @) is LOGSPACE-hard. 

Proof. This proof is very similar to the proof of Theorem 3.3. in [14]. We give 
a reduction from the problem Order between Vertices (ORD) which is known 
to be LOGSPACE-complete [7] and defined as follows. 

Problem: ORD 

Input: A finite set of vertices V, a successor-relation S on V, and two 
vertices s, t £ V. 
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Output: Is s t, where denotes the unique total order induced by S 
on VI 

Notice that (V, S) is a directed line-graph. Let (V, S, s, t) be an instance 
of ORD. We construct an Ml-L£(n, I, @)-formula <p that is satisfiable if and 
only if s ^5 t. We use V = {vo,Vi, . . . ,v n } as state variables. The formula 
ip consists of three parts. The first part binds all variables except s to one 
state and the variable s to a successor of this state. The second part of ip 
binds a state variable 17 to the state labeled by s iff s v i- Let a denote 
the concatenation of all @ Vk ivi with (vk,vi) e S and vi ^ s, and a n denotes 
the n-fold concatenation of a. Essentially a n uses the assignment to collect 
eventually all Vi with s ^5 in the state labeled s. The last part of ip checks 
whether s and t are bound to the same state after this procedure. That is, 
<p = ivo -iv\ 4^2- • • • lv n .Ols. a n @ s t. To prove the correctness of our reduction, 
we show that ip is satisfiable if and only if s ^5 t. 

Assume s ^5 t. For an arbitrary assignment g, one can show inductively 
that 5,0^ Ivo-ivi. ■ ■ ■ lv n .Ois. a 1 @ s r for i = 0, 1, . . . , n and for all r that have 
distance i from s. Therefore it eventually holds that <7,0 |= <p. For s ^5 t we 
show that g, n \£ ip for any assignment g and natural number n. Let go be the 
assignment obtained from g after the bindings in the prefix \.vo-lv\. ■ ■ ■ \.v n .nls 
of ip, and let gi be the assignment obtained from go after evaluating the prefix 
of <p up to and including a 1 . It holds that gi{s) ^ gi(t) = for alH = 0, 1, . . . , n. 
This leads to g n , ^= @ s t and therefore g, ^ ip. □ 

For the upper bound, we establish a characterisation of the satisfaction 
relation that assigns a unique assignment and state of evaluation to every sub- 
formula of a given formula ip. Using this new characterisation, we devise a 
decision procedure that runs in logarithmic space and consists of two steps: 
it replaces every occurrence of any state variable x in ip with 1 if its state of 
evaluation agrees with that of its |x-superformula, and with otherwise; it 
then removes all □-, 4-- and ©-operators from the formula and tests whether 
the resulting Boolean formula is valid. 

Theorem 4.12 N-MSAT(n, |, @) is in LOGSPACE . 

The proof can be found in Appendix C. 

5 The intermediate cases: NP results 

After we have seen that all fragments without O have an easy satisfiability prob- 
lem, we show that O together with the use of nominals makes the satisfiability 
problem NP-hard. Recall that, owing to the presence of nominals, A4T-LC(0) is 
not just modal logic with the O-operator. The absence of 4- makes assignments 
superfluous: we write K, w \= (p instead of K, g, w \= ip. 

Lemma 5.1 lin-MSAT(O) and N-MSAT(O) both are HP-hard. 

Proof. We reduce from 3SAT. Let ip — c\ A . . . A c n be an instance of 3SAT 
with clauses Ci, . . . ,c„ (where Cj = (l\ V l\ V Z3) for literals /*•) and variables 
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x\, . . . , x m . We define the transformation as 



where io,«i and all xe are nominals, and the function h is defined as follows: 



h( Cj ) := 0(h(l{) V h(P 2 ) V h(P 3 )), where Cj = (l{ V l{ V P 3 ); 
h(a A • • • A c n ) := h(ci) A • • • A h(c n ). 

Notice that / turns variables in the 3SAT instance into nominals in the 
lin-MSAT(O) instance. The part O(io A Oil) enforces the existence of two 
successors w\ and W2 of the state satisfying /((/?). The part A^Li ^(*o A xg) V 
0(ii A xg) simulates the assignment of the variables in ip, enforcing that each 
xt is true in either w\ or w 2 - The part h(ip) then simulates the evaluation of ip 
on the assignment determined by the previous parts. With the following claim 
NP-hardness of lin-MSAT(O) follows. 

Claim 5.2 if e 3SAT if and only if h(tp) G lin-MSAT(O). 

Proof of Claim. We first show that h{ip) e lin-MSAT(O) implies ip e 3SAT. 
If K, w \= h((p) with K — (W, <,??), then the following holds. Let wx = r](io), 
w 2 = v(ii)j an d 

• {wq, Wi, W2} C W with wo,wi,W2 pairwise different; 

• wo < wi < w 2 ; 

• for all Xj with 1 < j < m : i](xj) C {w\, w 2 }. 

We build a propositional logic assignment (3 — . . . (i m ) that satisfies if, where 
Pi E {_L, T} is the truth value for Xi, as follows. (3j = _L if <?(io) = g(xj), an d 
j8j = T if ,g(ii) = g{xj). From the construction of /i(<^), it clearly follows that 
(3 satisfies if. 

For the converse direction, suppose that ip is satisfied by the propositional 
logic assignment f3 — (/3i . . . (i m ). We construct a linear model K := (W, <, 77) 
containing a state w such that K, w |= /i(</?). 



/: y> O(*o A Oil) A /\ O(i A x £ ) V 0(»i A xi) J A h(ip) 




let ^ be a literal in clause Cj , then 




W := {w, wo, toi} 
< : w < w < w\ 



T](ij) := uij for j E {0, 1} 




It follows from the construction of K that K 7 w \= h{ip). The conjunct h(ip) 
is of the form (h(l{) V h{l\) V A • • • A {h{l\) V /i(Z^) v h(l 3 n )). Hence, under 

/3, at least one literal in every clause evaluates to true. The variable in this 
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literal satisfies the same clause in h(ip). Hence every clause in h(ip) is satisfied 
in w in K. Therefore, K,w \= h(ip). O 

Using this claim, NP-hardness of lin-MSAT(O) follows. It is straightforward 
to show that 3SAT reduces to N-MSAT(O) using the same reduction. □ 

We will now establish N P-membership of the problems 3-MSAT(0, □, 4), 
3-MSAT(0, □,©), and 5 r -MSAT(0, I, @) for £ e {lin,N}. For the first two, 
this follows from the literature, see Theorem 2.1 (4). For the third, we ob- 
serve that all modal and hybrid operators in a formula <p from the fragment 
A41-L£(0, 1, @) are translatable into FOL by the standard translation using no 
universal quantifiers. The existential quantifiers introduced by the binder can 
be skolemised away, which corresponds to removing all binding from (p and 
replacing each state variable with a fresh nominal. The correctness of this 
translation is proven in [21]. Hence, 3-MSAT(0, 1, @) polynomial-time reduces 
to£-MSAT(0,@). 

Lemma 5.3 lin-MSAT(0, |, @) and N-MSAT(0, @) are in NP. 

From the lower bounds in Lemma 5.1 and the upper bounds in Theorem 
2.1 (4) and Lemma 5.3, we obtain the following theorem. 

Theorem 5.4 Let {O} C O, and O C {<>,□, |,@}. Then lin-MSAT(O) and 
N-MSAT(O) are NP-complete. 

In addition to the NP-membership of the fragments captured by Theorem 
5.4, we are interested in their model-theoretic properties. We show that these 
logics enjoy a kind of linear-size model property, precisely a quasi-quadratic 
size model property: over the natural numbers, every satisfiable formula has a 
model where two successive nominal states have at most linearly many inter- 
mediary states, and the states behind the last such state are indistinguishable. 
This property allows for an alternative worst-case decision procedure for sat- 
isfiability that consists of guessing a linear representation of a model of the 
described form and symbolically model-checking the input formula on that 
model. Over general linear frames, which may have dense intervals, we formu- 
late the model property in a more general way and prove it using additional 
technical machinery to deal with density. However, the result then carries over 
to the rationals, where we are not aware of any upper complexity bound in the 
literature. 

In [19], Sistla and Clarke showed a variation of the linear-size model 
property for LTL(F), which corresponds to H£(0, □) over N: whenever 
ip G HC(0, □) is satisfiable over N, then it is satisfiable in the initial state 
of a model over N which has a linear-sized prefix init and a remainder final such 
that final is maximal with respect to the property that every type (set of all 
atomic propositions true in a state) occurs infinitely often, and final contains 
only linearly many types. Such a structure can be guessed in polynomial time, 
represented in polynomial space and model-checked in polynomial time. While 
it is straightforward to extend Sistla and Clarke's proof to cover nominals and 
the @ operator, it will not go through if density is allowed (frame class lin). 
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We establish that MV.C(0, □ , @) over lin has a quadratic size model prop- 
erty, and we subsequently show how to extend the result to the other fragments 
from Theorem 5.4 and how to restrict them to N. 

Theorem 5.5 MV.C(0, n, @) has the quasi- quadratic size model property with 
respect io lin and N. 

The proof can be found in Appendix D. 

As an immediate consequence, the model property in Theorem 5.5 carries 
over to the subfragmcnts MH£(0, □ ), MH£(0, @), MHC{u, @), MHC{0), 
MUCiu), MHC(@), and MV.C{%). Moreover, our arguments in the proofs of 
Theorems 4.3 and 4.12 can be used to transfer it to MH£(n,l, @). Together 
with the observations that 

• MH£(0, 1, @) is no more expressive than MUC^, @) (see the explanation 
before Lemma 5.3), and 

• MV.C(0, □, 4) is no more expressive than MH£(0, □) (because, without @, 
one cannot jump to named states), 

we obtain the following generalisation of Theorem 5.5. 

Corollary 5.6 Let O C {O, D,i, @}. Then MV.£(0) has the quasi- quadratic 
size model property with respect to lin and N. 

6 Conclusion 

We have completely classified the complexity of all fragments of hybrid logic 
with monotone Boolean operators obtained from arbitrary combinations of four 
modal and hybrid operators, over linear frames and the natural numbers. Ex- 
cept for the largest such fragment over linear frames, all fragments are of elemen- 
tary complexity. We have classified their complexity into PSPACE-complcte, 
N P-complete and tractable and shown that the tractable cases are complete for 
either NC 1 or LOGSPACE . Surprisingly, while the largest fragment is harder 
over linear frames than over (N, <), the largest O-free fragment is easier over 
linear frames than over (N, <). 

The question remains whether the PSPACE-complcte largest fragment over 
(N, <) admits some quasi-polynomial size model property. Furthermore, this 
study can be extended in several possible ways: by allowing negation on atomic 
propositions, by considering frame classes that consist only of dense frames, 
such as (Q, <), or by considering arbitrary sets of Boolean operators in the 
same spirit as in [14]. For atomic negation, it follows quite easily that the 
largest fragment is of non-elementary complexity over (N, <), too, and that 
all fragments except O = (□,!, @) are N P-complete. However, our proof of 
the quasi-quadratic model property does not immediately go through in the 
presence of atomic propositions. Over (Q, <), we conjecture that all fragments, 
except possibly for the largest one, have the same complexity and model prop- 
erties as over (N, <). 
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Appendix 

A Proof of Theorem 4.5 

Theorem 4.5 N-MSAT(n, @) is NC 1 -complete. 

Proof. NC 1 -hardncss follows from Theorem 4.2. 

For the upper bound, we distinguish occurrences of nominals that are either 
free, or that are bound by a □, or that are bound by an @. Simply said, a free 
occurrence of i in a is bound by □ in Da and bound by @ in (even if 
x i). Since the assignment g is not relevant for the considered fragment, we 
write K, w \= a for short instead of K,g,w \= a. 

Claim A.l Let a' be the formula obtained from a by replacing every occur- 
rence of a nominal that is bound by □ with _L, and let n be a valuation. If 
r), k \= a, then r\,k \= a' . 

Proof of Claim. We use induction on the construction of ip. The base case 
for ip G Prop U Nom is straightforward, as is the inductive step for <p = a V (3 
and p — a A /3, and even for p = @ x a. It remains to consider the case <p> = Da. 
If r/, k \= Da, then for all k' > k: r),k' \= a (by semantics of □) and by inductive 
hypothesis follows for all k' > k: r\, k' \= a'. Assume that in □ (a') there occurs 
a nominal i that is bound by the initial D-operator. Since for all k > k' 
holds r], k' |= a', there is some £ > maxU jgN0M rj(j) with r],i\^ a'. Therefore 
r), I |= a'[i/A.], and by the monotonicity of a' and the properties of 77 it follows 
that for all k' > k holds r), k! |= a'[i/A.]. In this way, all nominals bound by 
the initial D-operator can be replaced by _L, and it follows that 77, k \= (□(«'))'. 
Since (□(a'))' = (Da)', the claim follows. O 

Claim A. 2 ip e N-MSAT(n, @) if and only if i] Q ,0 \= p with r] Q (x) = {0} for 
every x £ NOM. 

Proof of Claim. We use induction on the construction of p. The base case 
for <p> e Prop U Nom is straightforward, as is the inductive step for p = a V (3 
and p — a A /3, and even for p = @ x a. It remains to consider the case <p> = Da. 
If 770,0 h <P, then p e N-MSAT(D,@). If Da G N-MSAT(n, @), then there 
exists k such that r], k \= (Da)' (for some 77, by the claim above). Let a* be 
the formula with (Da)' = D(a*). By the semantics of □ we obtain that there 
exists k such that for all k' > k holds r\,k! |= a*. By inductive hypothesis 
follows ElfcVfc' > k : r]o,0 \= a*, what is equivalent to 770,0 |= a*. Notice 
that a* contains no nominal. By the monotonicity of a, it follows that for all 
k e N holds 770, k \= a* . When we re-replace the _L's by the replaced nominals, 
the satisfaction is kept because of the monotonicity of a, and therefore for 
all k e N holds 770, k |= a. This implies 770, |= Da, which eventually yields 
ip e N-MSAT(D,@). ' O 

Both claims together yield that, in order to decide p G N-MSAT(n,@), it 
suffices to check whether 770,0 |= ip'. No nominal in ip' occurs bound by a 
□-operator. Therefore for every subformula Da of <p' and for every k holds: 
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r]o, k |= a if and only if 770, \= a. All nominals that occur free or bound by an 
@ evaluate to true in state via 770- Therefore, in order to decide r]o,0 \= <p' , it 
suffices to ignore all □ and ©-operators of <p' and evaluate it as a propositional 
formula under assignment 770 that sets all atoms of <p' to true. This can be done 
in NC 1 [6]. □ 

B Proof of Theorem 4.8 

Theorem 4.8 N-MSAT(n,i) is NC 1 -complete. 

Proof. NC 1 -hardncss follows from Theorem 4.2. 

For the upper bound, we distinguish occurrences of state variables as the 
occurrences in the proof sketch above. They are either free, or they are bound 
by a □, or they are bound by \.. Note that this phrasing differs from the 
standard usage of the terms 'free' and 'bound' in the context of state variables. 
A free occurrence of i in a is bound by □ in Da, as above. It is bound by 4- in 
li.a only. Notice that y occurs free in \x.y (for x ^ y). 

Claim B.l Let a' be the formula obtained from a by replacing every occur- 
rence of a state variable that is bound by □ with _L, and let g be an assignment. 
If g,k \= a, then g,k \= a' . 

Proof of Claim. We use induction on the construction of p. The base 
case for p g SVar is straightforward, as is the inductive step for p = a V (3, 
ip = a A /3, and for p = \.x.a. It remains to consider the case p> = Da. Let 
g, k |= Da for k G N. Then for all k! > k: g,k' \= a (by semantics of □) and by 
inductive hypothesis follows for all k' > k: g,k' \= a'. Assume that in D(a') 
there occurs a state variable i that is bound by the initial n-opcrator. Since 
for all k' > k holds g,k! |= a', there is some I > max(J ;rg g VAR g(x) such that 
g,l |= a! . Therefore g,l |= a'[i/±], and by the monotonicity of a' it follows that 
for all k' > k holds g, k' |= a'[i/A.]. In this way, all state variables bound by 
the initial D-operator can be replaced by _L, and it follows that g,k\= (□(«'))', 
where (□«')' = (Da)'. O 

Claim B.2 ip e N-MSAT(n, I) if and only if go, |= ip, for go(x) = for every 
x e SVar. 

Proof of Claim. We use induction on the construction of p. The base 
case for ip g SVar is straightforward, as is the inductive step for p = a V (i, 
<p = a A (3, and for ip = \.x.a. It remains to consider the case <p = Da. 

If Da G N-MSAT(D,@), then there exists k such that g,k \= (Da)' (for 
some rj and g). Let a* be the formula with (Da)' = Da*. By the semantics 
of □ we obtain that there exists k such that for all k' > k holds go, k' \= a*, 
and therefore a* G N-MSAT(n,4)- By inductive hypothesis follows go,0 \= a*. 
Notice that a* contains no free state variable. Therefore for all k G N holds 
go,k |= a*. When we re-replace the _L's by the replaced state variables, the 
satisfaction is kept, and therefore for all k G N holds go,k \= a, which eventually 
implies g ,0 \= Da, i.e. go, |= p. O 
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Both claims together yield that in order to decide ip G N-MSAT(n, \), it 
suffices to check whether g n ,0 \= <p'. No state variable in ip' occurs bound by 
a D-operator. Therefore for every subformula Da of p 1 and for every k holds: 
go, k |= a if and only if go , \= a. All occurrences of state variables in <p' that 
are bound by I evaluate to true, because no □ occurs "between" the binding 
1% and the occurrence of i, which means that the state where the variable is 
bound is the same as where the variable is used. All free occurrences of state 
variables evaluate to true in state due to g - Therefore, in order to decide 
go,0 |= <p' , it suffices to ignore all □ and 4,-operators of <p' and evaluate it as 
a propositional formula under an assignment that sets all atoms to true. This 
can be done in NC 1 [6]. □ 

C Proof of Theorem 4.12 

Theorem 4.12 N-MSAT(n, I, @) is in LOGSPACE . 

For this upper bound, we will establish a characterisation of the satisfaction 
relation that assigns a unique assignment and state of evaluation to every sub- 
formula of a given formula (p. Using this new characterisation, we will devise 
a decision procedure that runs in logarithmic space and consists of two steps: 
it replaces every occurrence of any state variable x in ip with 1 if its state of 
evaluation agrees with that of its |x-superformula, and with otherwise; it 
then removes all □-, J,- and ©-operators from the formula and tests whether 
the resulting Boolean formula is valid. 

In what follows, we want to restrict assignments to the finitely many free 
state variables occurring free in a given formula p. For this purpose, we define 
the notion of a partial assignment g : V — > N for ip where V is a finite set 
of state variables with Free^, C V, i.e., g is defined for all state variables 
free in (p. Here we include subscripts of the ©-operator in the notion of a 
free state variable: for example, ix.@ x @ y z has free state variables y, z. The 
satisfaction relation |= for partial assignments is analogously defined to the 
definition in Section 2. For a partial assignment g for ],x.a and i G N, it holds 
that g,i \= \.x.a iff gf, i \= a. Clearly, if g is a partial assignment for \x.a, then 
gf is one for a. 

The definition of the satisfaction relation implies that the satisfaction of 
Da at g, i depends on the satisfaction of Da at infinitely many states (natural 
numbers) in g. However, we will now show that the latter can be reduced to 
satisfaction in the smallest natural number to which g does not bind any state 
variable. This will later imply that satisfiability of a given formula ip can be 
tested by evaluating its subformulas in their uniquely determined states g, i of 
evaluation. 

Given a partial assignment g : V — > N, define n g = max{g(x) | x G V} + 1. 

Lemma C.l For every p G M.%L(D, @), every partial assignment g for ip 
and every i G N, it holds that g,i\= Up iff g,n g \= p. 

We will prove this lemma later, using the following lemma. 



Goller, Meier, Mundhenk, Schneider, Thomas, WeiB 



23 



Lemma C.2 Let ip G MW.£(u, I, @), let i,j G N 7 and let g,h be partial as- 
signments for ip that satisfy the following two conditions: 

(i) g-'^^h-^j). 

(All state variables free in <p and bound to i by g are bound to j by h.) 

(ii) For all a, b G Free^: if g(a) = g{b), then h(a) = h(b). 

(Whenever g binds two state variables free in ip to one and the same state, 
so does h.) 

Then g,i f= <p implies h,j f= ip. 

Proof. We proceed by induction on ip. In the base case ip G SVar, we obtain 
the desired implication directly from (i). For the induction step, we distinguish 
between the possible cases for the outermost operator of ip. The Boolean cases 
are straightforward; the other cases are dealt with as follows. 

• In case ip = nip, the following chain of (bi-)implications holds. 

g, i |= Dip ^ W > i : g, i' \= ip 

=> h,n h \=ip 

=> yf>j-h,f\=ip 
<^ h,j h n-0 

The first "=>" is immediate in case i < n g . Otherwise, if i ^ n g , observe 
that <7 _1 (i+l) = = g~ 1 (n g ). Hence we can apply the induction hypothesis 
(IH) to ip,i+l,n g ,g,h because g is also a partial assignment for ip, the as- 
sumption (i) of the IH is satisfied, and (ii) follows from the assumption (ii) 
for <p,i,j,g,h. 

The second "=>" is due to the IH applied to ip, n g , rih, g, h. Its assumption 
(i) is satisfied because g~ 1 {n g ) = = /i _1 (n^), and (ii) follows from the 
assumption (ii) for ip,i,j,g,h. 

The third "=>" is due to the IH applied to ip, nh,j, h, h. Its assumption (i) 
is satisfied because /i _1 (n^) = = h~ x (j), and (ii) is obvious because h = h. 

• In case ip = \.x.ip, the following chain of (bi-) implications holds. 

g,i \= ix.ip gf,i |= ip 

h, j \= Ix.ip 

The implication in the middle is obtained by observing that gf, hf are partial 
assignments for ip because g, h are partial assignments for ip, and applying 
the IH to ip,i,j,gf,hj. Its assumption (i) is satisfied because of the follow- 
ing chain of equalities and inclusions, whose middle step follows from the 
assumption (ii) for ip,i,j,g,h. 



(gf)- 1 ® = g~\i) u W c h~\i] u {x} = (h^U) 
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Assumption (ii) of the IH is satisfied for the following reason. Let a,b G 
Free,/, with g(a) = g(b). In case a = b = x, both (gf)(a) = (gf){b) and 
(ft*) (a) = (hj)(b) hold. In case a = x and b ^ x, we have that (gf)(a) = 
(gf)(b) implies (gf)(b) = i, which implies g(b) = i because b =/= x. This implies 
h(b) = j due to the assumption (i) for (p,i 7 j,g,h and because b G Free^,. 
Hence (ftj)(a) = (hj)(b). The case a ^ x and b — x is analogous to the 
previous one, and in case a/i and b ^ x, we have that (gf)(a) = (gf)(b) 
implies g(a) = g(b), which implies h(a) = h{b) due to the assumption (ii) for 
ip,i,j,g,h. Hence (ftj)(a) = (ft?) (6). 

• In case ip = @ x .ip, the following chain of (bi-) implications holds. 

g,i\= @ X V g,g(x) \= ip 
=> ft, ft(x) |= v 
^ ft, j |= @ x ^> 

The implication in the middle is obtained by observing that g, ft are also 
partial assignments for ip, and applying the IH to ijj,g(x),h(x),g,h. Its 
assumption (i) is satisfied: consider y e g~ 1 (g(x)). Then g(x) = g{y), which 
implies h(x) = h(y) due to the assumption (ii) for ip,i,j,g,h. Hence y & 
ft _1 (ft(a;)). This establishes g^ 1 (g(x)) C h^ 1 (h(x)). The assumption (ii) for 
the IH follows from the assumption (ii) for ip,i,j,g, ft. 

□ 

Before we can prove Lemma C.l, we observe the following consequence of 
Lemma C.2. 

Corollary C.3 For every ip G M.WC(\3, \., @), every partial assignment g for 
ip and every i e N with .g _1 («) = 0, it holds that g,i \= ip implies g,j \= ip for 
all j e N. 

Proof. It suffices to observe that the assumptions of Lemma C.2 are satisfied 
by p,i,j,g,g with j G N arbitrary, (i) follows from g _1 («) = 0, and (ii) holds 
trivially because g = g. □ 

We can now proceed to prove Lemma C.l (V<^, g, i : g, i \= Dip g,n g \= 

Proof. [Proof of Lemma C.l] For the direction "=>", assume that g,i \= Dip, 
i.e., for all j > i, it holds that g,j \= ip. In case i < n g , the consequence 
g,n g \= ip is immediate. Otherwise, in case i ^ n g , we conclude g,i + 1 |= ip 
from g, i \= Dip. Since g _1 (« + 1) = in this case, we can use Corollary C.3 to 
conclude that <?, j \= <p for all j G N, and in particular for j = n g . 

For the direction "<(=", assume that g,n g \= p. Then Corollary C.3 implies 
that g, j \= (p for all j G N, and in particular for all j > i. Hence g,i (= Dip. □ 

Using Lemma C.l, we are now in a position to show that every satisfiable 
formula is satisfied by a canonical assignment <?q in the state 0. We will fur- 
thermore use the characterisation of satisfaction for □-formulas in Lemma C.l 
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to establish that the question whether #o,0 |= p can be reduced to checking 
satisfaction of ip's subformulas in uniquely determined states and assignments. 

Let p G AdH^Oji, @). The canonical assignment g$ for p is the partial 
assignment for ip that maps all x G Free v to and is undefined for all other 
state variables. 

Theorem C.4 Let ip G MHC{u,i,@). Then p> G N-MSAT(n, |, @) iff 
3o ,0 h ¥>■ 

Proof. The "if" direction is obvious. The converse is a consequence of the 
following claim. 

Claim C.5 For every (p G MH£(a, I, @), every partial assignment g for p 
and every i G N: if g 7 i \= p, then g% , |= <p. 

Proof of Claim. We proceed by induction on tp. The base case <p — x G 
SVar is true because g^,0 \= x holds. For the induction step, the Boolean 
cases are straightforward. The other cases are treated as follows. 

• In case p = Dtp, the following chain of implications holds. 

g,i \= Dip => g,n g |= tp 
=> gt, 1 h V; 

=> 9^ 1 \= "0 
=> .9o V ,0 \=Uil> 

The first implication is due to Lemma C.l, and the second uses Lemma 
C.2 for tp,g,gQ,n g ,l: remember that g,g$ are for ip, and observe that the 

assumptions of Lemma C.2 are satisfied because g~ 1 (n g ) = = (g$ ) (1) 
and g^(a) = = g${b) for all a, b G Free,/,. The third implication holds 
because g$ — gfi, and the fourth uses Lemma C.l. 

• In case p = \.x.ip, the following chain of implications holds. 

g,i \= ix.ip gf,i \= ip 
=> gt,o\=1> 

=> (g^r ,o\=ip 

«*• g^O^ix.iP 

The first "=>" is due to the induction hypothesis, and the second uses g$ = 

• In case p = @ x ip, the following chain of implications holds. 

g,i \= @ x ip g,g(x) h ^P 
=> gt,0\=1> 

g$,0^@ x ip 
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The first "=>" is due to the induction hypothesis, and the second uses g^ = 
(<?q )q; note that g$ — g$ does not necessarily hold because x might not be 
free in ip. 

O 
□ 

Using Theorem C.4 and Lemma C.l, we can now assign a unique assignment 
and state of evaluation to every subformula of a given formula (p. This will 
lead us to characterize satisfiability of a given formula <p by validity of the 
Boolean formula obtained from <p by (a) replacing every free state variable x 
with or 1, depending on the compatibility between unique assignment and 
state of evaluation for x, and (b) removing all non-Boolean operators. After 
establishing this criterion, we will show that the transformation can be achieved 
deterministically in logarithmic space. 

Fix a formula (p e MH£(n,l,@) whose satisfiability is to be tested. We 
denote subformulas of <p as pairs (ip,p), where p £ N denotes the position of 
ip in (the string that represents) ip. This is necessary to distinguish between 
different occurrences of the same subformula in (p. The position of a subformula 
is always the position of its first character in the string representing ip. If the 
subformula is (a A (3) or (a V /3), then the position of the opening parenthesis 
is relevant. Consequently, ip has always position 0. 

For a position p in ip, denote by nexti(p) and next2(p) the position of the 
immediate subformulas of the subformula at position p: if the subformula of ip 
at p is 

• (a V /3) or (a A (3), then nexti(p) and next2(p) are the positions of a and /3, 
respectively; 

• Da, \.x.a or @ x a, then nexti(p) is the position of a, and next 2 (p) is undefined; 

• is any other formula, then both nexti(p) and next2(p) are undefined. 

We now define a unique state of evaluation SE v (t/;,p) for a subformula ip of 
ip at position p recursively on p as follows. 

• SE^,0) = (. 9 £,0). 

• For o e {A,V}, if SE v ((a o f3),p) = (g,i), then SE v (a, nexti(p)) = 
SE*(/3,next 2 (p)) = (<M). 

• If SE ¥> (na,p) = (g,i), then SE' p (a, nexti(p)) = (g,n g ). 

• If SE v (|x.a,p) = (g,i), then SE (p (a, nexti(p)) = (gf,i)- 

. If SE^(@ xa ,p) = (g,i), then SE^(a, next^p)) = (g,g(x)). 

Observe that the first component in SE v (tp,p) is always a partial assignment 
for -0. 

Now consider a subformula (x,p) of (p with x € SVar and SE' p (x,p) = (g, i). 
We define a function rep v mapping x to T if g(x) — i (i.e., x is satisfied at 
5E v (x,p)), and to _L otherwise. Using rep v , we now recursively define a func- 
tion boo\ v mapping subformulas of ip to Boolean formulas with only monotone 



Goller, Meier, Mundhenk, Schneider, Thomas, WeiB 



27 



operators and without propositional variables: 

boo\ v (x,p) = rep v (x,p), x £ SVar 
bool v (c,p) = c, ce{T,_L} 
bool^a o /3, p) = bool v (a, nexti(p)) o bool v (/3, next 2 (p)), o e {A, V} 
boo\ v (Aa,p) = bool ¥ '(a, nexti(p)), A E {n,lx,© x } 

Furthermore, let bool(i^) = bool v (i/?, 0). 

Lemma C.6 Let ip e AiHC(o,l.,&). For all subformulas (ip,p) of p, it holds 
that SE^ (tp , p) \=ip iff bool ¥ '(V',p) is valid. 

Proof. We proceed by induction on ip. Let SE v (ip,p) = (g,i). The base 
case ip = x follows from the definition of boo\ v (x,p) and rep v (x,p). For the 
inductive step, the cases ip = T, _L follow from the definition of bool v . The 
other cases are as follows. 

• In case ip — a V (3, we observe the following chain of equivalent statements. 

g, i \= a V (3 ^> g,i \= a or g,i\= (3 

& SE v (a, nexti(p)) |= a or SE v (/3, nexti(p)) |= (3 

boo\ ip (a, nexti(p)) is valid or SE V ((3, nexti(p)) is valid 
bool^a, nexti(p)) V SE v (/3, nexti(p)) is valid 

<(=> bool v (a V/3,p) is valid 

The second equivalence is due to the definition of 5E V , the third uses the 
induction hypothesis, and the fifth is due to the definition of bool v . 

• The case ip = a A (3 is analogous. 

• In case ip = Oa, we observe the following chain of equivalent statements. 

g,i\=aa <=> g, n g \= a 

SE v (a, nexti(p)) |= a 
bool (p (a, nexti(p)) is valid 
4=> bool ¥ '(na,p) is valid 

The first equivalence uses Lemma C.l, the second is due to the definition of 
SE V , the third uses the induction hypothesis, and the fourth is due to the 
definition of boo\ v . 

• The cases ip = ix.a and ip — @ x a are analogous to the previous one, but 
with the first equivalence via the definition of satisfaction. 

□ 

Theorem C. 7 Let ip e MHC(n,l,@). Then ip G N-MSAT(n, |, @) iff 
bool(<^) is valid. 
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Proof. The following chain of equivalences holds. 

ip is satisfiablc gfi , |= ip 
o SE^,0) 

bool^ (ip, 0) is valid 
boo\(ip, 0) is valid 

The first equivalence follows from Theorem C.4, the second uses the definition 
of SE V , the third is due to Lemma C.6, and the fourth uses the defintion of 
bool. □ 

The function bool is a reduction of N-MSAT(n, l, @) to the formula value 
problem for Boolean formulas with only monotone operators, which is in NC 1 
[6]. The correctness of this reduction is shown in Theorem C.7. To establish 
that N-MSAT(D,4,,@) e LOGSPACE, it remains to show that boo\(ip) can be 
computed in logarithmic space. The procedure BOOL, which will accomplish this 
task, will traverse its input formula ip from left to right, and send the character 
c read at position p to the output unchanged, unless one of the following two 
cases occurs. If c belongs to a □-, Lx.-, or ©^-operator, then c is ignored. If 
c is a free state variable x, then rep' p (x,p) is computed and sent to the output 
instead of c. Given the definition of bool, boo\ v and rep v , this is obviously a 
correct decision procedure provided that rep v (x,p) is computed by a correct 
subroutine REP, which we still have to describe. The procedure BOOL is given 
in Algorithm 1. 

Algorithm 1 Procedure BOOL 
Require: tp i MHC{u, |, @) 
Ensure: output bool(^) 

p <- 

while p < \tp\ do 

if an operator □, |x. or @ x starts at position p then 

p <— position immediately following that operator 
else if a state variable x starts at position p then 

output REP(ip,x,p) 

p position immediately following x 
else 

output character at position p 
p <- p + 1 
end if 
end while 



To compute rep ¥ '(a;,p) using the procedure REP, we make the following cru- 
cial observation about states of evaluation. The operators □ and @ x are jump- 
ing operators: SE v (nV>, •) and SE V (V', •) may differ in their second component; 
the same holds for SE v (@ x ip, •) and SE v (tp, •). Such a difference does not occur 
between formulas starting with one of the other operators \x., A, V, and their 
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direct subformulas. This observation can be used to compute rep v (x,p) be- 
cause that value depends on the question whether there is a jumping operator 
between the position q where x is bound and the position p of x. Assume that 
this binder \jc. leads the subformula ^x.ip, and that SE^^x.ip, q) — (g,i) and 
SE v (x,p) = (h,j). We distinguish the following cases. 

Case 1. If there is no jumping operator between (x,p) and (],x.ip,q), then it 
follows from the definition of SE^ that g(x) — i, g(x) — h(x), and i = j 
all three statements can be shown inductively on the positions in p. They 
imply that h{x) = j, hence rep v (x,p) = T. 

Case 2. Let o be the last jumping operator occurring between positions q and 
p. More precisely, let r be the position between q and p such that 

• the operator o at position r is a jumping operator, 

• that operator is in the scope of (\.x.,q) and has (x,p) in its scope, and 

• there is no jumping operator in the scope of (o,r) that has (x,p) in its 
scope. 

Let o# be the subformula at position r. 

Case 2.1. If o = □, then the definition of SE V implies that SE v (cu?,r) = 
(g, n g ) for some partial assignment g. Since x is not bound between r and 
p, and since no jumping operator occurs between r and p, we conclude 
from the definition of SE V that h(x) ^ n g and j = n g . Hence h(x) ^ j, 
and rep v (x,p) — _L. 

Case 2.2. If o = @ y , then let (ly.rj, s) be the subformula "above" @ y $ that 
binds y, with SE v Qy.ri) = {g',i') and SE ¥ '(@ y .i?) = (h',f). 

Then it holds that (a) g(x) — h(x), due to the definition of SE V and 
because x is not bound between q and p, and (b) j = h(y) = h'(y) = g'(y), 
which follows from the definition of SE V for ©^-formulas and the fact that 
y is not bound between s and p. Therefore we have that rep' p (x,p) = T 
iff g(x) — g'(x). This new criterion compares states of evaluations of 
subformulas at smaller positions in <p, and it can be decided applying the 
same case distinction to those two subformulas. 

We therefore obtain a recursive procedure REP for deciding whether rep v = 
T. For every recursive call according to Case 2.2, a pair of subformulas at 
smaller positions in ip is compared. Therefore, the recursion has to terminate 
after at most \ip\ steps. Since the result of a recursive call does not need to 
be processed any further, REP can be implemented using end-recursion, i.e., 
without a stack. Together with the fact that only a constant number of po- 
sition counters are needed (and, consequently, determining the last jumping 
operator between two positions in ip can be implemented in logarithmic space) , 
Algorithm 2 runs in logarithmic space. The previous considerations imply its 
correctness. 



Theorem 4.12 N-MSAT(d, I, &) is in LOGSPACE 
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Algorithm 2 Procedure REP 

Require: <p G A4H£(n, |, @), free state variable x in <p at position p 
Ensure: output rep v (x,p) 

let (ix.ip, q) be the ,|,x.-superformula of ip at position q in ip 

call subroutine REP ' (ip, (lx.ip,q), (x,pj) 



Algorithm 3 Procedure REP ' 

Require: ip G A4HC(D, subformulas (a,p), (f3,q) of ip 

Ensure: output T if second components of SE v (a,p) and SE v ((3,q) agree, _L 
otherwise 

if there is no jumping operator between (a,p) and ((3,q) then 
return T 

else if the last jumping operator between (a,p) and (13, q) is □ then 
return _L 

else if the last jumping operator between (a,p) and (/?,<?) is @ y then 
let (4-J/-7, s) be the subformula of (p where y is bound 
if q < s then 

call subroutine REP ' (ip, (lx.ip,q), (Xy.j,s)) 
else 

call subroutine REP ' (tp, (ly. 7, s), (lx.tp,q)) 
end if 
end if 



D Proof of Theorem 5.5 

Theorem 5.5 MH£(0, □ , @) has the quasi- quadratic size model property with 
respect to lin and N. 

We will develop a "quasi-quadratic size model property" for the logic 
MHC^, □, @) over lin, and we will subsequently show how to extend the 
result to the other fragments from Theorem 5.4 and how to restrict them to N. 
In the appendix, we even sketch how to obtain an NP decision procedure for 
these fragments over lin, N and the frame class {(Q, <)}. 

Consider an arbitrary model K = (W, <,??), and call all states in the range 
of g nominal states. For every non- nominal state w G W, let 5(w) be the num- 
ber of states between w and the next nominal state s. If the next nominal state 
is a direct successor, then 5(w) = 0; if there are infinitely many intermediary 
states — i.e., at least a part of the interval between w and s is dense — , then 
5(w) = 00. For every m ^ 0, we now define an equivalence relation = TO on W 
as follows, w = m w' if either w — w' or both w, w' are non-nominal states and 
5(w) > m and S(w') > m. Figure D.l gives an example for m — 3; equivalence 
classes are denoted by dashed rectangles. The ij are nominal states, and of 
the 8 states between ii and 13, the rightmost three form separate equivalence 
classes, and the others form a single equivalence class. The intuition behind 



Goller, Meier, Mundhenk, Schneider, Thomas, WeiB 



31 



Legend: (w) >(v) : v is a direct successor of w 



:©— -»©! 



w and v are begin and end of a dense interval 
w and v are in the same equivalence class 

Fig. D.l. An example for m = 3 

this equivalence relation is that w and w' cannot be distinguished by formulas 
of modal depth < m. 

If w = m w' , we call w and w' m-inseparable, and we denote the equivalence 
class of w w.r.t. = m by [w] m . The definition of = m has the consequence [w] m C 
[iy] m _i, for all m > 0. 

It is possible to enforce dense parts in satisfying models, for instance via the 
following formula, which is satisfiable in a linear structure only if that structure 
ends with a state satisfying the nominal j, and that state needs to be the end 
point of a dense interval. This formula is therefore not satisfiable over N. 

ip d = iAOOj AD(jVOOj) 

For this reason, an equivalence class can also consist of infinitely many states. 
In the case of a model satisfying (fid, all points between i and j belong to the 
same equivalence class because all these points have an infinite distance to j. 

The following lemma states that m-inseparable states cannot be distin- 
guished by formulas of modal depth ^ m. 

Lemma D.l For every m ^ 0, every formula <p G MW£(0, D,&) with 
md(ip) < m, every linear model K = (W,<,rf), and all w,w' 6 W with 
w = m w': 

K,w \= ip K, w' \= <f. 

Proof. We proceed by induction on the structure of ip. The case for nominals 
is obvious because nominal states are m-inseparable only from themselves. The 
Boolean cases are straightforward. 

f = Oip. For symmetry reasons, it suffices to show "=>". Let K, w \= Otp and 
w = m w'. Then there is some v > w with K, v \= ip. We now distinguish 
several cases of how w,w',v are located in relation to each other. 
w' < w. Then w < v implies w' < v, and hence K, w' \= Otp. 
w ^ w' < v . Then, still, w' < v, and hence K , w' \= Otp. 
w < v ^ w' . Since w = m w', we have w = m v = m w' . In case |[w] m | < oo, 
there are exactly m states between [ii^] m and the next nominal state. Let 
v' be the <-least of them; then w = m -i v = m -i w> =m-i v'. Since 
md(V') = m — 1, we get K, v' \= ip via the induction hypothesis. Hence, 
K,w' \= Otp. 
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In case \[w] m \ — oo, we conclude that at least a subinterval of [w] m 
is dense, and therefore w' has a successor v' in [w] m C [u>] m _i. We can 
continue the argument as in the previous case. 

ip = Dip. As above, it suffices to show "=>". Let K, w \= Dip and w = m w' . 
Then, for all v > w, we have that K, v \= ip. Again, we consider the two 
cases \ [w} m \ < oo and \ [w] m \ = oo, and fix the same v' as above. Since v' is 
(to — l)-inseparable from w and w' , ip is also satisfied by all states in [w] m . 
Therefore, K, v \= ip for all v > w' , hence, K, w' \= nip. 

ip = @iip. Then K, w \= @iip ^> K, v \= tp for any v <^> K, w' \= @iip. 

□ 

We now use this inseparability result to reduce a satisfying model in size 
such that it can be represented in polynomial space. Fix a formula if with 
md(ip) = to and a linear model K with K,w \= ip for some state w. If it 
were not possible to enforce dense intervals, it would suffice to collapse ev- 
ery m-equivalence class of K to a single point, i.e., the quotient model of K 
w.r.t. = m would satisfy ip at [w] m . This would serve our purpose over N. In 
contrast, an infinite equivalence class (IEC) — which has to contain a dense 
subinterval — needs to remain dense for the next lemma to work. For a uniform 
representation, we replace any IEC with a copy of (0, 1)q, the open interval of 
all rationals between and 1. Since a dense interval can be of higher cardinality 
than (0, 1)q — just consider K, for example — , we cannot expect to map every 
point of an IEC M to a point in the associated copy of (0, 1)q. Instead, we 
use a surjective partial morphism / : (M, <) — > (0, 1)q, i.e., a partial function 
that satisfies the equivalence x = y 4=> f(x) = f(y) for all x,y 6 M and whose 
range is all of Q. These conditions ensure that every x s dom(/) has a succes- 
sor y G dom(/) with f(x) < f(y). Such a function always exists: since every 
IEC [w] m contains a dense subinterval, it also contains an isomorphic copy of 
(0,1)q- 

The refined "quotient" model K m = (W m ,< m ,ri m ) is now constructed as 
follows. For every infinite [w] m , let [w] m be a fresh copy of (0, 1)q. We set 

• W k = |+J [w] m W{[w] m : \[w] m \ < oo} 

|[Hm|=00 

• [w] m < m [v] m if [w)m and [v] m are finite and w' < v' for some w' G [w] m 
and v 1 e [v] m 

• q <m q' if q, q' € [w] m for some w with \ [w] m \ = oo, and q < q' on (0, 1)q 

• q <m [v] m if q & [w]m f° r some w with \ [w] m \ = oo, [v] m is finite, and w < v' 
for some v' S [v] m 

• [w] m < m q' if q' € [v] m for some v with \ [v) m \ = oo, [w] m is finite, and w' < v 
for some w' £ [w} m 

' Vm(i) = [V(i)]m 

We also define a model reduction function for if to be a surjective partial 
function / : K — > K m with the following conditions. 
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• If \[w] m \ < oo, then f(w') — [w] m for all w' G [w] m . 

• If \[w] m \ = oo, then /(«/) = g(w ') for all w' G [tw] m , for some surjective 
partial morphism g : [w] m — > [w] m - 

Lemma D. 2 For every m ^ 0, every formula ip G A4HC(0, □, @) wit/i 
md(</?) ^ m, every linear model K = (W,<,r]), every model reduction func- 
tion f for K and all w G dom(/): 

K,w\=(f <=> K m ,f(w)\=p. 

Proof. We proceed by induction on ip. The atomic and Boolean cases are 
straightforward again. 

p = Oip. Let K, w \= p. 

Case 1: | [w] m | < oo. Let w' be the <-greatest member of [w]k- Due to 
Lemma D.l, K, w' |= Oip. Therefore there is some v > w' with K, v \= tp 
and v ^ m w. If \[v] m \ < oo, then v G dom(/), and the induction hy- 
pothesis yields K m ,f(y) \= ip. Since w < v with v ^ m w, we obtain 
f(w) < m f(v), hence K m ,f(w) \= ip. If \[v] m \ = oo, we use [v] m C [v] m -i 
and conclude from Lemma D.l that K, v' \= ip for all v' G [v] m . Take such 
a v' with w' G dom(/) and apply the induction hypothesis as in the case 
\[v] m \ < oo. 

Case 2: |[w] m | = oo. Since K, w \= <p, there is some v > w with K, v \= ip. 
If v ^ m w, then we argue as in Case 1. Otherwise, we use Lemma D.l to 
conclude that K, v' \= ip for all v' G [w] m . Since the restriction of / to [w] m 
is a surjective morphism and (0, 1)q is dense, there is some v' > w with 
v 1 G [w] m , v' G dom(/) and f(w) < m f(v'). From K, v' \= ip we conclude 
via the induction hypothesis that K mi f(v') \= ip, hence K mi f(w) \= Oip. 

p = nip. Let K, w \= Dip, i.e., K, v \= ip for all v > w. Then K, v \= ip for 
all v with v G dom(/) and f(v) > rn f(w). Due to the induction hypothesis, 
K m ,f(v) \= ip for all v with v G dom(/) and f(v) > m f(w). Since / is 
surjective, we have K m ,v' \= ip for all v' G W m with v' > m f(w). Hence 
K m ,f{w) h Dip. 

ip — @ t ip. Let K, w (= @iip, i.e., K,n{i) \= ip. Then K m ,i] m (i) |= ip due to the 
induction hypothesis and the definition of K m . Hence K m , f(w) \= @iip. 

□ 

At this point, it is important to notice that, if K is a model over N, then so 
is K m . Therefore, Lemma D.2 gives us a quasi-quadratic size model property 
for M.T-LC{0, □, @) over lin as well as N - and also over {(Q, <)}, see appendix. 
We say that a model K is of size quasi- quadratic in an integer m if every 
interval between two consecutive nominal states in K consists of at most m 
states, possibly with one preceding isomorphic copy of (0, 1)q. We furthermore 
say that a fragment MULiO) has the quasi- quadratic size model property with 
respect to a frame class 3" if, for every ip G ^-MSAT(O), there exists a model 
over a frame in $ that is of size quasi-quadratic in md(ip) and satisfies p. 
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Theorem 5.5 A47i£(0, □, @) has the quasi- quadratic size model property with 
respect to lin and N. 

Proof. Let K = (W, <,rj) be a linear model and u> G W with K, Wq |= v 5 - 
Consider ip' = i A (p for a fresh nominal i. Let m = md(i^) = md(ip'). Then 
ip' is satisfiable in the wo of the model K' obtained from K by interpreting i 
in wq- Now take an arbitrary model reduction function / for K', which has to 
have wq in its domain, and apply Lemma D.2 to obtain K m , f(wo) \= <p'. □ 



